New York privacy law to conflict with RIA monitoring requirements

New York state has passed a new law preventing companies accessing the private communications accounts of their staff. While there is a carveout in the law for entities that are required to monitor or maintain communications “under federal law or by a self-regulatory organization,” that leaves a bit of a gap in the RIA world.

In September 2023, New York state passed law A836 that will prohibit an employer from “requesting or requiring that an employee or applicant disclose any username, password, or other means for accessing a personal account through specified electronic communications devices.”

On the broker-dealer side of the industry, all communications are required to be retained and reviewed, and thus they are protected by the carve out. However, for RIAs, only communications that deal specifically with investment advice are required to be retained and reviewed. There of course is no easy way to separate just those communications from employee’s personal devices, and therein lies the problem.

Jeffrey Dinowitz, New York State Assemblyman and lead sponsor of the bill was asked if RIAs’ compliance efforts were considered when the bill was being drafted and debated. His response was: “I don’t recall them reaching out.” He added that: “the time to discuss that was before the law was passed. The time to do your homework is before you hand it in. It’s been signed, it’s done.” Unfortunately, it sounds like RIAs were not considered beforehand, and it’s too late to expect anything to be done now.

The rule will be going into effect 180 days after its initial passage, which will be in March 2024. We have been monitoring for comments from the SEC but have not seen any to this point. This may only affect New York firms, but according to the Investment Advisor Association as of 2021, 18.8% of advisory firms were headquartered in New York. so it is no small matter.

The question now is how should these organizations with employees based in New York be handling their oversight responsibilities? First off, if your electronic communications program is collecting data from employees’ personal devices or requires any sort of random review of personal devices, that practice will need to stop. Instead, these organizations should consider:

  • banning the use of personal devices for any business communications
  • supplying employees with work specific phones where any business communications need to take place – these phones can still be monitored
  • requiring employees to regularly attest that they are not engaging in business communications on their personal devices
  • implementing a section into your Compliance training program around these communications.

These first steps will at least show the SEC that your firm is taking this seriously and attempting to monitor the necessary communications, while also complying with the related laws.

There is still the question of what an organization should do if they have a bad apple that they suspect is skirting these rules. There is an exception in the rule that allows for an employer to request access to an employee’s personal phone if the employer is investigating potential misconduct, but the employer will want to make sure they have a strong case before making such a request as an unfounded request could open them up to potential lawsuits from their employees.

We can help

It will be interesting to see how different organizations and regulators plan to address this new issue, and we will be looking for clearer guidance from the regulator in the future. If your organization will be affected by these developments and you would like more guidance on how your firm can address this issue, please do not hesitate to contact us.